Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston



Similar documents
Cloud Computing and Records Management

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

Business System Recordkeeping Assessment - Digital Recordkeeping Compliance

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI v1.0

LEGAL ISSUES IN CLOUD COMPUTING

Online/Cloud Services Trust challenges & eidentity-aspects

INFORMATION TECHNOLOGY SECURITY STANDARDS

John Essner, CISO Office of Information Technology State of New Jersey

HIPAA Privacy & Security White Paper

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Anatomy of a Cloud Computing Data Breach

IT Forum UW-Madison Records Management Program. UW Archives and Records Management

How To Manage Cloud Data Safely

Cloud Computing Security Considerations

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

UNIVERSITY OF MANITOBA PROCEDURE

R345, Information Technology Resource Security 1

Cloud Software Services for Schools

Privacy and Cloud Computing for Australian Government Agencies

Information Management Advice 18 - Managing records in business systems Part 1: Checklist for decommissioning business systems

RECORD AND INFORMATION MANAGEMENT FRAMEWORK FOR ONTARIO SCHOOL BOARDS/AUTHORITIES

Cloud Computing: Legal Risks and Best Practices

Decision on adequate information system management. (Official Gazette 37/2010)

Management: A Guide For Harvard Administrators

Information Technology: This Year s Hot Issue - Cloud Computing

Office of Inspector General

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

Standard Statement Data and System Security

Vendor Audit Questionnaire

Cloud Service Contracts: An Issue of Trust

The Next Generation of Security Leaders

Retention & Disposition in the Cloud Do you really have control?

Newcastle University Information Security Procedures Version 3

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SERVICE SCHEDULE INFRASTRUCTURE AND PLATFORM SERVICES

How To Use Egnyte

Guideline 1. Cloud Computing Decision Making. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Cloud Software Services for Schools

Office 365 Data Processing Agreement with Model Clauses

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

HIPAA Security Matrix

Copyright Telerad Tech RADSpa. HIPAA Compliance

Procedure Title: TennDent HIPAA Security Awareness and Training

How To Protect Decd Information From Harm

HIPAA Compliance Guide

XIT CLOUD SOLUTIONS LIMITED

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

Electronic Records Storage Options and Overview

Records and Information Management and Retention

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

ACCEPTING PAYMENT CARD ASSESSMENT Pre-Selection Questionnaire

Information Security Team

Information Technology General Controls (ITGCs) 101

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com

Practical Overview on responsibilities of Data Protection Officers. Security measures

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Security Is Everyone s Concern:

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Security Alert

NHS Business Services Authority Records Management Audit Framework

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone:

ISO Controls and Objectives

How To Protect A Hampden County Hmis From Being Hacked

Scotland s Commissioner for Children and Young People Records Management Policy

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Supplier Security Assessment Questionnaire

NSW Government. Cloud Services Policy and Guidelines

Big Data, Big Risk, Big Rewards. Hussein Syed

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

The Risks of Cloud Storage

Union County. Electronic Records and Document Imaging Policy

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

San Francisco Chapter. Information Systems Operations

Projectplace: A Secure Project Collaboration Solution

Cloud Computing Governance & Security. Security Risks in the Cloud

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Records Management Policy

Transcription:

Protecting Official Records as Evidence in the Cloud Environment Anne Thurston

Introduction In a cloud computing environment, government records are held in virtual storage. A service provider looks after much of the maintenance, but the government still owns the records, and government agencies still must comply with legal requirements. The records still are essential for protecting citizens rights and entitlements, demonstrating accountability, and providing the basis for data credibility.

Record Keeping Requirements Cloud computing has obvious benefits and less obvious risks. The risks are mainly in relation to how records and data, particularly in terms of their security and integrity, are managed in the cloud. Records management requirements for official records must be defined in relation to legal requirements, for instance for personal and financial information, access to information, privacy, data protection, and disaster recovery.

Requirements Metadata (data describing the context, content and structure of records) is essential to demonstrate that the records are authentic and to make it possible to access and interpret them over time. Metadata must be captured when the records are created and then, through system logs and audit trails, to document how the records are used and any changes to their structure.

Risks 1 Records and data can be lost or corrupted unintentionally or as the result of unauthorised action by a malicious insider, a hacker or a shared server user. 2 The service provider may not be able to preserve records with very long retention periods, such as property or pension records. 3 The records may not be returned at the end of contract or they may be returned in a format that the agency finds difficult to access or use.

Risks 4 A lack of standardised interfaces can make it difficult or expensive to transfer services or information from one cloud provider to another. 5 Service providers may not share audit logs documenting access to applications and services and how they are used. In this case, it is not possible to demonstrate authenticity, integrity and legal compliance.

Risk Assessment Some records management applications can be integrated with cloud computing services, but many cloud computing services lack records functionality, and cloud architectures often lack technical standards for records storage and use. A risk assessment should be carried out when a contract is negotiated to insure that information integrity and security can be protected.

Questions for a Risk Assessment 1 Does the service provider have experience of implementing records management solutions in the cloud? Have the records requirements been defined; can the service provider demonstrate the ability to meet the requirements? 2 What are the provisions for preventing hackers and security threats? Is there information, for instance personnel records, that is too sensitive or important to be held in the cloud computing environment?

Risk Assessment 3 What back-up arrangements are in place to ensure that records and the associated structure and metadata can be restored if anything happens to them? 4 Will the records will be available when 24/7 access is required? 5 Can the service provider demonstrate that the information will be stored in acceptable jurisdictions?

Risk Assessment 6 When the contract ends, will all records be returned to the agency within an agreed timeframe and in an acceptable format? 7 What are the provisions for external risk auditing, certification and monitoring, and how are they enforced? How often is the provider audited by external bodies, and when did the last audit take place? How are incidents reported and addressed? 8 Who will have access to the records and what controls will govern third party access?

Risk Assessment 9 Is the provider s system functionality capable of accommodating the required metadata fields? Can additional metadata fields be added as needed? 10 Does the vendor provide certificates of destruction? 9 Are there provisions for transferring records with permanent value to secure long-term storage (Trusted Digital Repositories)?

Risk Assessment If you are planning for cloud computing in your country, it is important to assess the risks for official records.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information